diff --git a/src/macosx/classes/apple/security/KeychainStore.java b/src/macosx/classes/apple/security/KeychainStore.java index 59d6de7320b7eb34774f0710f5d6405ce5913532..034d6d43308245d72064fdb268cfd12b134c5f8e 100644 --- a/src/macosx/classes/apple/security/KeychainStore.java +++ b/src/macosx/classes/apple/security/KeychainStore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -226,6 +226,9 @@ public final class KeychainStore extends KeyStoreSpi { // Get the Algorithm ID next DerValue[] value = in.getSequence(2); + if (value.length < 1 || value.length > 2) { + throw new IOException("Invalid length for AlgorithmIdentifier"); + } AlgorithmId algId = new AlgorithmId(value[0].getOID()); String algName = algId.getName(); diff --git a/src/share/classes/java/security/PKCS12Attribute.java b/src/share/classes/java/security/PKCS12Attribute.java index e3898628820fed51cd73575de5c11c4c7b4cb0b5..4693e265518a7f47eaabb3088574d7c61f9d91d6 100644 --- a/src/share/classes/java/security/PKCS12Attribute.java +++ b/src/share/classes/java/security/PKCS12Attribute.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -252,6 +252,9 @@ public final class PKCS12Attribute implements KeyStore.Entry.Attribute { private void parse(byte[] encoded) throws IOException { DerInputStream attributeValue = new DerInputStream(encoded); DerValue[] attrSeq = attributeValue.getSequence(2); + if (attrSeq.length != 2) { + throw new IOException("Invalid length for PKCS12Attribute"); + } ObjectIdentifier type = attrSeq[0].getOID(); DerInputStream attrContent = new DerInputStream(attrSeq[1].toByteArray()); diff --git a/src/share/classes/sun/security/pkcs/ContentInfo.java b/src/share/classes/sun/security/pkcs/ContentInfo.java index bc78d0f1c0da81234d974aae428067aceeb88041..78417124afea827b3b61d829cc20d2b5cb21da17 100644 --- a/src/share/classes/sun/security/pkcs/ContentInfo.java +++ b/src/share/classes/sun/security/pkcs/ContentInfo.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -130,6 +130,9 @@ public class ContentInfo { DerValue[] contents; typeAndContent = derin.getSequence(2); + if (typeAndContent.length < 1 || typeAndContent.length > 2) { + throw new ParsingException("Invalid length for ContentInfo"); + } // Parse the content type type = typeAndContent[0]; @@ -149,6 +152,9 @@ public class ContentInfo { disTaggedContent = new DerInputStream(taggedContent.toByteArray()); contents = disTaggedContent.getSet(1, true); + if (contents.length != 1) { + throw new ParsingException("ContentInfo encoding error"); + } content = contents[0]; } } diff --git a/src/share/classes/sun/security/pkcs/SignerInfo.java b/src/share/classes/sun/security/pkcs/SignerInfo.java index 3053d348011d1e2b0825aee74524dae485c9d27b..03d072b58807d6ccd67b7449ca0ad65dc0654f31 100644 --- a/src/share/classes/sun/security/pkcs/SignerInfo.java +++ b/src/share/classes/sun/security/pkcs/SignerInfo.java @@ -144,6 +144,9 @@ public class SignerInfo implements DerEncoder { // issuerAndSerialNumber DerValue[] issuerAndSerialNumber = derin.getSequence(2); + if (issuerAndSerialNumber.length != 2) { + throw new ParsingException("Invalid length for IssuerAndSerialNumber"); + } byte[] issuerBytes = issuerAndSerialNumber[0].toByteArray(); issuerName = new X500Name(new DerValue(DerValue.tag_Sequence, issuerBytes)); diff --git a/src/share/classes/sun/security/pkcs12/MacData.java b/src/share/classes/sun/security/pkcs12/MacData.java index 93bfef14b6c322c4978369bbac028ffd7a28e993..dc5716ff558b518e627c97cc0d25a13dbc0792f1 100644 --- a/src/share/classes/sun/security/pkcs12/MacData.java +++ b/src/share/classes/sun/security/pkcs12/MacData.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -59,10 +59,16 @@ class MacData { throws IOException, ParsingException { DerValue[] macData = derin.getSequence(2); + if (macData.length < 2 || macData.length > 3) { + throw new ParsingException("Invalid length for MacData"); + } // Parse the digest info DerInputStream digestIn = new DerInputStream(macData[0].toByteArray()); DerValue[] digestInfo = digestIn.getSequence(2); + if (digestInfo.length != 2) { + throw new ParsingException("Invalid length for DigestInfo"); + } // Parse the DigestAlgorithmIdentifier. AlgorithmId digestAlgorithmId = AlgorithmId.parse(digestInfo[0]); diff --git a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java index 003f171f4cf37460242fe3c348db5a15f670c65b..85163e50bace6520cce9f78d3d5ac9d1e4e447ee 100644 --- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java +++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -389,6 +389,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { DerInputStream in = val.toDerInputStream(); int i = in.getInteger(); DerValue[] value = in.getSequence(2); + if (value.length < 1 || value.length > 2) { + throw new IOException("Invalid length for AlgorithmIdentifier"); + } AlgorithmId algId = new AlgorithmId(value[0].getOID()); String keyAlgo = algId.getName(); @@ -2000,11 +2003,17 @@ public final class PKCS12KeyStore extends KeyStoreSpi { DerInputStream edi = safeContents.getContent().toDerInputStream(); int edVersion = edi.getInteger(); - DerValue[] seq = edi.getSequence(2); + DerValue[] seq = edi.getSequence(3); + if (seq.length != 3) { + // We require the encryptedContent field, even though + // it is optional + throw new IOException("Invalid length for EncryptedContentInfo"); + } ObjectIdentifier edContentType = seq[0].getOID(); eAlgId = seq[1].toByteArray(); if (!seq[2].isContextSpecific((byte)0)) { - throw new IOException("encrypted content not present!"); + throw new IOException("unsupported encrypted content type " + + seq[2].tag); } byte newTag = DerValue.tag_OctetString; if (seq[2].isConstructed()) @@ -2218,6 +2227,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { } else if (bagId.equals((Object)CertBag_OID)) { DerInputStream cs = new DerInputStream(bagValue.toByteArray()); DerValue[] certValues = cs.getSequence(2); + if (certValues.length != 2) { + throw new IOException("Invalid length for CertBag"); + } ObjectIdentifier certId = certValues[0].getOID(); if (!certValues[1].isContextSpecific((byte)0)) { throw new IOException("unsupported PKCS12 cert value type " @@ -2233,6 +2245,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { } else if (bagId.equals((Object)SecretBag_OID)) { DerInputStream ss = new DerInputStream(bagValue.toByteArray()); DerValue[] secretValues = ss.getSequence(2); + if (secretValues.length != 2) { + throw new IOException("Invalid length for SecretBag"); + } ObjectIdentifier secretId = secretValues[0].getOID(); if (!secretValues[1].isContextSpecific((byte)0)) { throw new IOException( @@ -2271,6 +2286,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { byte[] encoded = attrSet[j].toByteArray(); DerInputStream as = new DerInputStream(encoded); DerValue[] attrSeq = as.getSequence(2); + if (attrSeq.length != 2) { + throw new IOException("Invalid length for Attribute"); + } ObjectIdentifier attrId = attrSeq[0].getOID(); DerInputStream vs = new DerInputStream(attrSeq[1].toByteArray()); diff --git a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java index f2c23b991b7ecfa1c24758b4f23ef6fd6e62ce8a..933c6a036ded432eaf36144a28ab8e6af2d66bc6 100644 --- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -261,7 +261,7 @@ public final class OCSPResponse { DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString()); - DerValue[] seqTmp = basicOCSPResponse.getSequence(2); + DerValue[] seqTmp = basicOCSPResponse.getSequence(3); if (seqTmp.length < 3) { throw new IOException("Unexpected BasicOCSPResponse value"); }